Managing Risk in the Cloud

Before we dig into this, let me say up front, I am looking for a little reader participation on this one. I know what the clouderati think about this topic, but I really want to hear from regular folks–the ones that will be writing checks and putting their reputations, if not their jobs, on the line.

Over the weekend, I got a chance to catch up on my reading and ran across a couple of articles on online backup services, one in Macworld and one in Time magazine; the latter is about as mainstream as you can get. Both articles were well done and covered things like pricing and ease of use, but both missed what I think is the most salient point.

What I want to know is what the heck is at the other end of the connection. To paraphrase a tweet I read a while back, how do you know your data is not being backed up by two guys over a chip shop (that would be a fish & chips place for my American readers)? There seems to be a general perception that the cloud is some magical neverland where nothing bad ever happens, which is about as far from the truth as you can get. The problem is, unless these mis-set expectations can be nudged back into reality, market adoption of cloud computing will be battling waves of stories from disillusioned customers–it's called a “chasm” for a reason :).

I continue to hear from customers with analysis along the lines of: right now, storage costs us X cents/MB, but in the cloud, it only costs us Y cents/MB (where Y < X), so we are looking at moving our storage into the cloud–what do I need to be able to do that? While we can certainly help customers do that, it often turns out that they have not priced the risks of moving something to the cloud into their analysis. In the end, moving to the cloud might still be the right thing to do, but the more rigorous analysis makes sure everyone has made an informed decision and continues to stay employed if something goes wrong.

A number of folks have noted that the consumer market is ahead of the enterprise in adopting cloud infrastructure, cloud apps, etc. (Facebook, Flickr, Mozy, etc.). I think one of the reasons for this is that terms of service are pretty one-sided–if your provider loses your data, you’ll get a sincere apology and that’s pretty much it. While this may fly in the consumer market, it's not going to work in the enterprise market. If you are an enterprise buyer, you are probably looking to establish some basis for liability and damages. While you are at it, you might want to see about things like security, auditability and how you get your data back.

So, that brings us back to the two guys over the chip shop–just because they are a startup does not mean they aren’t running a solid operation. At the same time, we have no shortage of stories of large service providers with less than rigorous operations. As a company looking at these services, which are certainly quite enticing, how do you choose? How do you measure and validate the “goodness” of a cloud provider’s offerings?

To that end, I’d like to hear from folks that moved some portion (or all) of their organization’s data or apps into the cloud to see what they did to manage risk. Similarly, for folks that have yet to make the plunge, what kinds of things would you like to see to increase your comfort level?

9 Comments.

Great points. I think it is useful to segregate cloud providers into two primary categories: public providers and trusted providers. Public providers, such as Amazon's EC2, utilize a purely Internet-based access model of shared resources via proprietary APIs. You point out some of the potential disadvantages of the public provider model. Additionally, the proprietary APIs lock customers into the providers' view of control. The Internet-based access entails packet transport in unpredictable ways, leaving the potential for large amounts of latency. The combination of public provider proprietary API/environment along with Internet connectivity eliminates all customer control over ability to effectively meet SLAs and to comply with security requirements built on defense in depth strategies. Another challenge public cloud providers face is the lack of multi-tenancy containment strategies that isolate client compute, data storage infrastructure and private LAN services from shared cloud interconnect points in the architecture. Trusted cloud providers, on the other hand, are either internal or external data centers that provide resources on a rental or as-needed basis along with an engineered data transport architecture (i.e. fibre, T-1, MPLS). While by no means a panacea, trusted cloud providers do allow customers to maintain various levels of control depending upon their agreement with the trusted advisor by continuing to maintain access to, or even ownership of, equipment, software and connectivity.

MozyHome works pretty well for me – on both Mac and PC. MozyPro needs a lot of work, however – the interface is extremely convoluted and not user friendly at all.

ChiliPepr: I actually use MozyHome too and I am pleased with it. However, to reinforce my point in my post, I don't use it cheaper backing up to a disk that I own, instead, I use it to augment the Drobo/Time Machine set I have to back up my family Mac by giving me an offsite backup. So, in my case, the "cloud" is not lowering my costs, but it is allowing me to do something I probably could not easily pull off otherwise. Omar

Hi, I have limited knowledge of the transport layers in service provider networks and I'm interested to know if/how "Cloud Computing" may impact layers 1 and 2 - optical and transport planning. My understanding is that QoS is influenced by transport choice (TDM/Packet) and capacity is allocated by L2 (switching and aggregation). Does anybody have any comments on how "Cloud Computing" might influence transport network design/management - or is this solely a service/application story?

Cloud Computing is no longer a novelty, it's becoming reality. Though, we have a lot of clients who are very concerned re: the security implications of the "Cloud" - i.e. the USA Patriot Act and how the US government can look at their data.

Am working towards my CCNA and Net+ certification, so am new at all this. But will be doing a term presentation on certain aspects of cloud computing (security and ethical risks). Hadn't considered Patriot Act implications, but am wondering how HIPAA regs will impact the privacy and safety of either consumer or enterprise data. Are there ample cases today of this data being compromised? And what penalties are there for network admins who work as contractors or employees in corporations should a security breach take place in a cloud computing scenario? marc

An interesting debate. I almost jumped on one of your statements early in the piece but then noted that you addressed it yourself later. That point being that 'bigger is not necessarily better'. The great (and perhaps scary) thing about all aspects of the Internet is that two guys above a chip shop can provide a service of equal quality to (or better than) the largest of corporations. The tricky part is that it's difficult to find out who's behind things and their pedigree.
